a6e63d38a8ebe09d0c09b45d7245137f1cdd0e7e9e978997814ea9bd6c33ee33

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
Size

593KB
MD5

3673d5090b77a0b033da84545fda2f0f
SHA1

010d2e93a19af30eb6f17052abd855933edc4873
SHA256

a6e63d38a8ebe09d0c09b45d7245137f1cdd0e7e9e978997814ea9bd6c33ee33
SHA512

05f91a2f9dc112b80bdca6db4ccc907041ad267812d9aa514d513c2d9673b9b4aed48699bf019d2dc95e7101bb9601334d6e17d4f77f7ba2fb85303f3c7349de
SSDEEP

12288:a39mSPuqDWEB1l9gvW01XM/f85jsz1+ruUA+lpOxuGzVg7I:ymS2savWoXEqsB+S+lUkGO7I

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2132	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	MsiExec.exe
1928	MsiExec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
9	1572	msiexec.exe
12	1572	msiexec.exe
15	1572	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3540	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
3540	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1572	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1572	msiexec.exe
Token: SeSecurityPrivilege	2452	msiexec.exe
Token: SeCreateTokenPrivilege	1572	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1572	msiexec.exe
Token: SeLockMemoryPrivilege	1572	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1572	msiexec.exe
Token: SeMachineAccountPrivilege	1572	msiexec.exe
Token: SeTcbPrivilege	1572	msiexec.exe
Token: SeSecurityPrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeLoadDriverPrivilege	1572	msiexec.exe
Token: SeSystemProfilePrivilege	1572	msiexec.exe
Token: SeSystemtimePrivilege	1572	msiexec.exe
Token: SeProfSingleProcessPrivilege	1572	msiexec.exe
Token: SeIncBasePriorityPrivilege	1572	msiexec.exe
Token: SeCreatePagefilePrivilege	1572	msiexec.exe
Token: SeCreatePermanentPrivilege	1572	msiexec.exe
Token: SeBackupPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeShutdownPrivilege	1572	msiexec.exe
Token: SeDebugPrivilege	1572	msiexec.exe
Token: SeAuditPrivilege	1572	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1572	msiexec.exe
Token: SeChangeNotifyPrivilege	1572	msiexec.exe
Token: SeRemoteShutdownPrivilege	1572	msiexec.exe
Token: SeUndockPrivilege	1572	msiexec.exe
Token: SeSyncAgentPrivilege	1572	msiexec.exe
Token: SeEnableDelegationPrivilege	1572	msiexec.exe
Token: SeManageVolumePrivilege	1572	msiexec.exe
Token: SeImpersonatePrivilege	1572	msiexec.exe
Token: SeCreateGlobalPrivilege	1572	msiexec.exe
Token: SeCreateTokenPrivilege	1572	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1572	msiexec.exe
Token: SeLockMemoryPrivilege	1572	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1572	msiexec.exe
Token: SeMachineAccountPrivilege	1572	msiexec.exe
Token: SeTcbPrivilege	1572	msiexec.exe
Token: SeSecurityPrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeLoadDriverPrivilege	1572	msiexec.exe
Token: SeSystemProfilePrivilege	1572	msiexec.exe
Token: SeSystemtimePrivilege	1572	msiexec.exe
Token: SeProfSingleProcessPrivilege	1572	msiexec.exe
Token: SeIncBasePriorityPrivilege	1572	msiexec.exe
Token: SeCreatePagefilePrivilege	1572	msiexec.exe
Token: SeCreatePermanentPrivilege	1572	msiexec.exe
Token: SeBackupPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeShutdownPrivilege	1572	msiexec.exe
Token: SeDebugPrivilege	1572	msiexec.exe
Token: SeAuditPrivilege	1572	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1572	msiexec.exe
Token: SeChangeNotifyPrivilege	1572	msiexec.exe
Token: SeRemoteShutdownPrivilege	1572	msiexec.exe
Token: SeUndockPrivilege	1572	msiexec.exe
Token: SeSyncAgentPrivilege	1572	msiexec.exe
Token: SeEnableDelegationPrivilege	1572	msiexec.exe
Token: SeManageVolumePrivilege	1572	msiexec.exe
Token: SeImpersonatePrivilege	1572	msiexec.exe
Token: SeCreateGlobalPrivilege	1572	msiexec.exe
Token: SeCreateTokenPrivilege	1572	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1572	msiexec.exe
Token: SeLockMemoryPrivilege	1572	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1572	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 2132	3540	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe	86
PID 3540 wrote to memory of 2132	3540	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe	86
PID 3540 wrote to memory of 2132	3540	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe	86
PID 2132 wrote to memory of 1572	2132	setup.exe	88
PID 2132 wrote to memory of 1572	2132	setup.exe	88
PID 2132 wrote to memory of 1572	2132	setup.exe	88
PID 2452 wrote to memory of 1928	2452	msiexec.exe	90
PID 2452 wrote to memory of 1928	2452	msiexec.exe	90
PID 2452 wrote to memory of 1928	2452	msiexec.exe	90

C:\Users\Admin\AppData\Local\Temp\3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\luiBD55.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\luiBD55.tmp\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\luiBD55.tmp\SP-Fantasy_Installer.msi"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1572

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 502AA4201E50030261C7A8458163DAFC C
  2⤵
  - Loads dropped DLL
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIC66D.tmp

Filesize
222KB

MD5
fb4ed24de182178cac3cd3870a4ba5b6

SHA1
38b168fbe97b72a5de5eaef16535ea1aed964e1b

SHA256
5070b4cdf7e2f95535f3340a3a0d9bce496478d0bd445b470dd67278a910c578

SHA512
03ffa685a28333cc7d8eb4a0fdd8c5dce85ca1126bcdefebda83a91586b98ae559d56074b943a6df0ec011eaa58b6841026ffb8b42e08b74351b0118011d3c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\luiBD55.tmp\SP-Fantasy_Installer.msi

Filesize
524KB

MD5
149c5470d721e646952cea819487ff28

SHA1
5e6ee0a902135f80aea5adace0ea07c03cb82b4e

SHA256
f8ca4710cf343b7afe9fd6003a8387374a709feb5929f7bc0ff54c5cea5148b7

SHA512
a2cbf9418d207d8321050cbef4fde3900f9b857441f5e22f400a7eadc948c0ee421946e0208af5761ba34f6b2e58c52f7fe632a22cc487c261c577d4747b5cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\luiBD55.tmp\setup.exe

Filesize
366KB

MD5
b07a06446303767f1c8c26bc1ef83baf

SHA1
94aa8c6ddd5f6e96867e997f150c63ebf1fc0019

SHA256
349df2da098acb773284ebf50503cab096c949cf4bb63d75e96d75bed7937564

SHA512
be1592432745c66e7c5eef56dd452ca32dd9e461eb7522cd3e58a2dde8f4341c46aa2fa44be1a72151e259dd2fd7cb246091040e05486a5ee5f042077dd234a4

Download Submit